Kettering Health faces a ransomware attack and confirms a scam


Within hours of a cyber incident that disrupted some of its services, Ohio-based Kettering Health said fraudsters were calling its patients and requesting credit card payments for medical expenses.

WHY IT MATTERS

A network cyber attack limiting access to patient care systems across Kettering's 14 medical centers and more than 120 outpatient facilities caused a call center outage and resulted in the cancellation of elective surgeries, the health system explained in an online statement on Tuesday. 

"Earlier this morning, Kettering Health experienced a system-wide technology outage, which limited our ability to access certain patient care systems across the organization," the statement reads. "We have procedures and plans in place for these types of situations and will continue to provide safe, high-quality care for patients currently in our facilities."

Emergency rooms and clinics remained open.

The threat actors posted a ransom note to the health system's network that threatened to leak sensitive and protected data they had stolen unless Kettering negotiated an extortion fee, as reported by CNN.

The note led the victim to an extortion site associated with the Interlock ransomware gang, according to the story.

Later that day, Kettering Health updated its system-wide technology outage bulletin to confirm the scam calls and announce that it was holding off on normal billing calls.

THE LARGER TREND

Healthcare organizations are targeted because they are deemed more likely to pay extortion demands: an outage that disrupts care puts patient safety at risk. If providers do not pay, cybercriminals can still cash in on the valuable health data they steal by attempting to sell it on the dark web.

Researchers at Cisco's Talos Intelligence have said they've observed an attacker conducting big-game hunting and double extortion attacks using Interlock ransomware.

"Our analysis uncovered that the attacker used multiple components in the delivery chain, including a remote access tool masquerading as a fake browser updater, PowerShell scripts, a credential stealer and a keylogger before deploying and enabling the ransomware encryptor binary," Talos researchers said in a 2024 blog post.

The attacker moved laterally within the victim’s network and used Azure Storage Explorer to exfiltrate the victim’s data to an attacker-controlled Azure storage blob, Cisco researchers said. 
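A defender reading the Talos description above will want a concrete check for the exfiltration step. The following is an added example, not code from the article or from Talos: it scans constructed Sysmon-style network-connection events for Azure Storage Explorer (and AzCopy, its command-line counterpart, which the article does not mention and is assumed here) transferring data to `*.blob.core.windows.net` from a host, account, or path that the organization has not approved. The event fields, host names, storage account names, and approved sets are all hypothetical.

```python
import re
from collections import namedtuple

# Constructed Sysmon-style Event ID 3 (network connection) records; not real telemetry.
SAMPLE_EVENTS = [
    {"computer": "WS-RAD-07", "user": "HOSP\\jdoe",
     "image": r"C:\Program Files\Microsoft Azure Storage Explorer\StorageExplorer.exe",
     "dest_host": "hrbackupprod.blob.core.windows.net", "dest_port": 443},
    {"computer": "WS-RAD-07", "user": "HOSP\\jdoe",
     "image": r"C:\Users\jdoe\AppData\Local\Temp\azcopy.exe",
     "dest_host": "xk9q2tmp.blob.core.windows.net", "dest_port": 443},
    {"computer": "SRV-BACKUP-01", "user": "HOSP\\svc_backup",
     "image": r"C:\Tools\azcopy.exe",
     "dest_host": "hrbackupprod.blob.core.windows.net", "dest_port": 443},
    {"computer": "WS-RAD-07", "user": "HOSP\\jdoe",
     "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "dest_host": "www.example.org", "dest_port": 443},
]

# Bulk cloud-copy tools worth watching; azcopy.exe is an assumption, not from the article.
CLOUD_COPY_TOOLS = {"storageexplorer.exe", "azcopy.exe"}

# Azure storage account names are 3-24 lowercase alphanumerics; the first DNS label is the account.
BLOB_HOST = re.compile(r"^(?P<account>[a-z0-9]{3,24})\.blob\.core\.windows\.net$", re.IGNORECASE)

Finding = namedtuple("Finding", "computer user image account reason")


def find_blob_exfil(events, approved_accounts, approved_hosts):
    """Flag Storage Explorer / AzCopy connections to Azure Blob that fall outside the approved set.

    approved_accounts: storage account names the organization legitimately writes to.
    approved_hosts:    machines allowed to run bulk cloud-copy tools (e.g. backup servers).
    """
    findings = []
    for ev in events:
        m = BLOB_HOST.match(ev["dest_host"])
        if not m:
            continue  # not an Azure Blob endpoint
        account = m.group("account").lower()
        tool = ev["image"].rsplit("\\", 1)[-1].lower()
        if tool not in CLOUD_COPY_TOOLS:
            continue  # ordinary browser/app traffic to a blob endpoint is out of scope here
        reasons = []
        if account not in approved_accounts:
            reasons.append("unapproved storage account")
        if ev["computer"] not in approved_hosts:
            reasons.append("host not approved for bulk cloud copy")
        if "\\appdata\\local\\temp\\" in ev["image"].lower():
            reasons.append("tool launched from user temp directory")
        if reasons:
            findings.append(Finding(ev["computer"], ev["user"], tool, account, "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    for f in find_blob_exfil(SAMPLE_EVENTS, {"hrbackupprod"}, {"SRV-BACKUP-01"}):
        print(f"{f.computer} {f.user} {f.image} -> {f.account}: {f.reason}")
```

The allowlists are the point: a backup server copying to a known account is normal, while a workstation running a copy tool out of a user's temp directory toward a never-seen storage account is the pattern Talos described and should page someone.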

"The group has notably targeted businesses in a wide range of sectors, which at the time of reporting include healthcare, technology, government in the U.S. and manufacturing in Europe," they added.

Then, on April 28, the Chicago Health System Coalition said in an advisory bulletin that Interlock was aggressively targeting healthcare organizations. 

"The uptick in Interlock ransomware incidents is impacting the breadth of the sector and does not appear to be targeting specific types of healthcare and public health organizations or geographic regions," the coalition noted.

Conducting regular product security assessments and participating in threat intelligence sharing programs are essential to protect against threats like Interlock, according to Douglas McKee, executive director of threat research at SonicWall, a network security firm.

"These aren’t nice-to-haves – they’re critical for staying ahead of adversaries who are constantly evolving their tactics," McKee said by email on Tuesday. "This isn’t just a wake-up call – it’s a repeat alarm we keep hitting snooze on. We have to shift from reactive response to proactive defense."

ON THE RECORD

"While it is customary for Kettering Health to contact patients by phone to discuss payment options for medical bills, out of an abundance of caution, we will not be making calls to ask for or receive payment over the phone until further notice," health system officials said in a statement.
